Advisory:

WordPress 3.5.2 contains a plain text content injection vulnerability

Vulnerability

Last revised: July 17, 2013

WordPress 3.5.1 contains an error message relating to the use of an invalid feed template which emits user output. It is not possible to include HTML in this field, but text content can be injected. For example: